Intrusion detection is one of many information security buzzwords that security tool vendors use to mean many different things. In simple terms, however, an Intrusion Detection System (IDS, as it is more commonly known) is an arrangement of devices and software that monitors and analyses network or host activity in (near) real time for signs of attacks, policy violations and other malicious activity. Note the distinction from a vulnerability scanner: an IDS watches for attacks as they happen; it does not audit systems for weaknesses.
Read on and decide for yourself whether you need to have one of these boxes in place...
Essentially there are two types of IDS:

An active IDS blocks suspected attacks in progress without any human intervention. Its advantage is that it provides real-time corrective action in response to an attack; however it is prone to false alarms, and because it must sit inline on the front line it is itself exposed to attack. Its biggest disadvantage follows directly from the automatic response: an attacker can turn the IDS into a denial-of-service tool by deliberately generating alerts, for example by sending packets with spoofed source addresses so that the IDS blocks traffic from legitimate hosts. An active IDS is also known as an IPS (Intrusion Prevention System).

A passive IDS is configured only to monitor and analyse network traffic and alert an operator to potential attacks. It is easily deployed and, because its monitoring interface normally carries no IP address, it is hard to target directly. It is however not capable of any protective or corrective action, and it can still be overwhelmed by traffic flooding (so that it drops packets and misses attacks) or exploited through bugs such as buffer overflows in its protocol decoders.
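The following is an added example, not code from the original article or any vendor product. It is a toy responder that runs the same constructed events in passive (alert only) and active (alert and block) mode, and shows how an attacker who can spoof a legitimate partner's source address makes the active device block that partner. The threshold, addresses, payloads and the allowlist parameter are all assumptions made for illustration.

```python
"""Added example (not from the original article): a toy active/passive
responder showing how an automatic block list becomes a denial-of-service
tool. Threshold, addresses and events are constructed for illustration."""
from collections import Counter

BLOCK_THRESHOLD = 3  # hypothetical: auto-block a source after 3 alerts

# Constructed events: (source_ip, request). 192.0.2.10 is a legitimate
# partner; events 7-9 carry its address as a spoofed source.
EVENTS = [
    ("203.0.113.9", "GET /index.html"),
    ("203.0.113.9", "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"),
    ("198.51.100.7", "GET /../../etc/passwd"),
    ("198.51.100.7", "GET /../../etc/passwd"),
    ("198.51.100.7", "GET /../../etc/passwd"),
    ("192.0.2.10", "POST /orders"),            # real partner traffic
    ("192.0.2.10", "GET /../../etc/passwd"),   # spoofed source, attacker
    ("192.0.2.10", "GET /../../etc/passwd"),
    ("192.0.2.10", "GET /../../etc/passwd"),
    ("192.0.2.10", "POST /orders"),            # real partner, after the spoof
]

# Minimal "signature database": substrings that raise an alert.
SUSPICIOUS = ("../", "/etc/passwd", "%0a")


def is_suspicious(payload):
    return any(marker in payload for marker in SUSPICIOUS)


def run_ids(events, mode, allowlist=frozenset()):
    """Process events in 'passive' (alert only) or 'active' (alert and block) mode.

    Returns (alerts, blocked_sources, dropped_legitimate_requests).
    """
    alerts = []
    counts = Counter()
    blocked = set()
    dropped_legit = []
    for src, payload in events:
        if mode == "active" and src in blocked:
            # Inline device: nothing from a blocked source reaches the server,
            # including the partner's genuine requests.
            if not is_suspicious(payload):
                dropped_legit.append((src, payload))
            continue
        if is_suspicious(payload):
            alerts.append((src, payload))
            counts[src] += 1
            if (mode == "active" and counts[src] >= BLOCK_THRESHOLD
                    and src not in allowlist):
                blocked.add(src)
    return alerts, blocked, dropped_legit


if __name__ == "__main__":
    for mode in ("passive", "active"):
        alerts, blocked, dropped = run_ids(EVENTS, mode)
        print(f"{mode}: {len(alerts)} alerts, blocked={sorted(blocked)}, "
              f"legitimate requests dropped={dropped}")
```

In passive mode both attackers produce alerts and nobody is blocked; in active mode the spoofed events push 192.0.2.10 over the threshold and its next genuine POST is dropped. The allowlist parameter stops that particular outcome, but it only moves the problem (spoofing an allowlisted address is now free). The more robust mitigations are to auto-block only on alerts that cannot be spoofed (for example those raised inside a completed TCP handshake), to make every automatic block expire after a short time, and to keep the sensor itself in alert-only mode for low-confidence rules.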
Network-based and host-based IDS

Network-based IDSs are usually dual-homed machines strategically placed on a network to monitor all traffic passing a chosen point. A NIDS generally consists of a network appliance known as a sensor with two or more NICs: one is the management interface, the other(s) operate in promiscuous (monitoring) mode with no IP address of their own. Because a switch only forwards each frame to its destination port, the switch port the sensor is patched to must also be configured as a mirror (SPAN) port that copies the traffic of interest, or the sensor must be fed from a network tap. A quick check after deployment is that the monitoring interface reports promiscuous mode and sees traffic between other hosts, not just broadcasts; if it only sees broadcasts the mirror port is not configured. As already stated, a NIDS is normally on the front line of network intrusion detection.

Host-based IDSs require small programs (or agents) to be installed on each system to be monitored. The agents monitor the operating system (event logs, process activity, file integrity) and write data to log files and/or trigger alarms. It's important to note that, as the name implies, a host-based IDS only monitors the individual hosts on which it is installed; it does not monitor the network as a whole, although it can see things a network sensor cannot, such as what happens inside an encrypted session once the host has decrypted it.
Knowledge-based and behaviour-based IDS
Knowledge-based (or signature-based) IDSs operate by referencing a database of previous attack profiles and known system vulnerabilities to identify active intrusion attempts. They are more common than behaviour-based IDSs and have lower false alarm rates. The disadvantage is that the signature database needs to be continually updated and maintained, and new, unique or original attacks may not be detected, or may be improperly classified.
Behaviour-based (or statistical anomaly-based) IDSs operate by referencing an initial baseline of activity, or a learned pattern of normal system activity, to identify active intrusion attempts. Deviations from the baseline cause an alarm to be triggered. They are able to adapt dynamically to new, unique or original attacks by detecting new trends and behaviours, and are less dependent on identifying specific operating system vulnerabilities; however they are prone to higher false alarm rates than knowledge-based IDSs. Frequent changes in the usage pattern may reduce the effectiveness of these systems, since the baseline no longer describes normal activity.
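The following is an added example, not code from the original article or any product it names. It runs a tiny signature-based detector and a tiny behaviour-based detector over the same constructed web server log lines so the trade-off above can be seen directly: the signatures catch only the attacks they know, the baseline detector catches the scanning source (including its unsignatured probes) but also flags a busy legitimate client, and a single novel attack slips past both. The rules, baseline counts, addresses and log lines are all made up for illustration.

```python
"""Added example (not from the original article): signature-based versus
behaviour-based detection over the same constructed log lines. Rules,
baseline and log entries are hypothetical."""
import re
import statistics
from collections import Counter

# Knowledge-based: a small signature database (hypothetical rules).
SIGNATURES = {
    "phf-cgi":       re.compile(r"/cgi-bin/phf\?"),
    "dir-traversal": re.compile(r"(\.\./){2,}"),
    "test-cgi":      re.compile(r"/cgi-bin/test-cgi"),
}


def signature_detect(lines):
    """Return [(line_no, rule_name)] for lines matching a known signature."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, rx in SIGNATURES.items():
            if rx.search(line):
                hits.append((n, name))
                break
    return hits


# Behaviour-based: requests per source in a window, learned from a
# constructed training set; alert when a source exceeds mean + 3 sigma.
BASELINE_COUNTS = [4, 5, 3, 6, 4, 5, 5, 4, 6, 3]


def anomaly_threshold(baseline=BASELINE_COUNTS):
    return statistics.mean(baseline) + 3 * statistics.pstdev(baseline)


def anomaly_detect(lines, baseline=BASELINE_COUNTS):
    """Return sorted [(source_ip, count)] for sources above the threshold."""
    threshold = anomaly_threshold(baseline)
    per_src = Counter(line.split()[0] for line in lines)
    return sorted((src, c) for src, c in per_src.items() if c > threshold)


# Constructed log lines in common log format.
def _line(src, sec, path, status=200):
    return (f'{src} - - [10/Oct/2004:13:55:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.0" {status} 0')


SCAN_PATHS = ["/", "/admin/", "/backup/", "/images/../../../../etc/passwd",
              "/cgi-bin/test-cgi", "/scripts/", "/_vti_bin/", "/.htpasswd",
              "/server-status"]

LOG = (
    [_line("203.0.113.9", 36, "/index.html"),
     _line("203.0.113.9", 40, "/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd", 404),
     # Novel attack with no signature and no volume spike: missed by both.
     _line("203.0.113.9", 44, "/search?q=%27%20OR%201%3D1--")]
    # Scanner probing nine paths in one window.
    + [_line("198.51.100.7", 10 + i, p, 404) for i, p in enumerate(SCAN_PATHS)]
    # Legitimate but busy monitoring client: eight requests to /status.
    + [_line("192.0.2.10", 20 + i, "/status") for i in range(8)]
)

if __name__ == "__main__":
    print("signature hits:", signature_detect(LOG))
    print(f"anomaly threshold: {anomaly_threshold():.2f} requests/window")
    print("anomalous sources:", anomaly_detect(LOG))
```

The signature detector reports lines 2, 7 and 8 and says nothing about the other seven probes from 198.51.100.7 or the injection attempt on line 3. The anomaly detector reports 198.51.100.7 (nine requests against a threshold of about 7.6) without knowing any of those probes, but also reports 192.0.2.10, which is exactly the kind of false alarm the text warns about; adding 192.0.2.10's normal volume to the baseline would silence that alert and also raise the threshold for everyone else, which is the "changing usage pattern" weakness. Real anomaly engines model many features per host and protocol, but the trade-off is the same.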
Conclusion
Whichever type of IDS you choose to implement, make sure you vigilantly protect the IDS itself: harden the sensor, keep its management interface off the monitored segment, and raise an alarm if it stops reporting. After all, if the primary detection mechanism is attacked, the organisation will be blind to further attacks.
Popular IDS vendors and products include:
Internet Security Systems (ISS) products:
- Internet Scanner
- System Scanner
- RealSecure
Cisco CSIDS (formerly Netranger)
Snort (free, open-source IDS for Linux and Windows based systems)
Books referenced:
Snort 2.1 Intrusion Detection Second Edition (Syngress)
CompTIA Security+ (Sybex/Wiley)
CompTIA Security+ (Dummies range)